44975

Retired Member

Usernames and passwords: everybody hates them

31 January 2013 | 3929 views | 7

"Many Americans would rather clean toilets than try to come up with a new username or password for sites requiring online logins, a new study shows."*

Protecting confidential information within biller self-serve websites through enrollment, and the choosing and remembering of a unique username and password is a process that is universally hated by consumers. So, the question is: if everybody hates it, why
is it still so prevalent?

As a test, I called up my utility, my insurance company, my bank and my credit card provider: Each time I was asked one, two or three very simple questions to ascertain my identity. I was then allowed full access to my account information. If I can do this
over the phone, why can’t I do it online?

Delta is the only website I know of that had this very convenient way to access my SkyMiles account and I never had any trouble logging in. Recently they too moved to usernames and passwords. I have since reset my password three times and called them twice
because I forgot one or the other. It’s been a lousy experience for me, and one that has already cost them more than $50 in customer service.

Enrol online and you assume all the risk
In all instances the biller knows enough about their customers to eliminate the need for usernames and passwords. Instead, billers could present a set of questions based on customer's personal information, known to both parties (referred to as shared secrets)
– such as partial social security or credit card number, date of birth or a combination of these. The less sensitive the information being accessed, the less stringent the questions can be. A utility and a credit card provider would have very different levels
of questions.

So why do most/all billers still request usernames and passwords? The answer is in liability. The biller is passing the ‘risk’ of transacting online onto their consumer.

Consumers inevitably use the same usernames and passwords as often as possible and in many instances they are so simple that they can be guessed or hacked with ease. Thus this process is simply not secure. Research published in Digital
Journal proves this: ‘Password’ is the number one chosen password and ‘123456’ is the second. The biller allows this, as they have passed the onus onto the consumer to create good passwords.

There is also massive cost to the biller: Forgotten passwords and other password related problems are the second most common help desk call. (According to Forrester Research, the average cost of a help desk call is about $25.)

In summary:

Customer created usernames and passwords are not secure

It’s a terrible customer experience

It’s costly for the biller

It’s high risk / not secure for the customer

There has to be a better way. There is a better way:

It’s time to eliminate usernames and passwords forever! You can do so while maintaining the appropriate levels of security, and delivering the best possible customer experience.

In this day and age where people bare their souls on Facebook / equivalent, I wonder if any shared secret is really known only to the biller and the customer. In the interest of avoiding repetition, let me refer to my comments
here.

I think this Microsoft Research paper gets it absolutely right when it says, "Despite countless attempts and near-universal desire to replace them, passwords
are more widely used and firmly entrenched than ever... and not only will passwords be with us for some time, but in many instances they are the solution which best fits the scenario of use."

An excelent blog that hits a big nail firmly on the head. We were looking at bank security as a featured topic in our Mapa Research Insight series recently and noticed that some banks, in clear acknowledgement of the user name and password frustration, had
developed a " light" log-in option for customers.These allow them to more easily view their account status without needing to fully log in.

At the other end that will also explain the widespread use by banks of one time passwords and secure codes for sensitive transactions.

I also remember a UK research finding that said we all used just one password for everything... another problem to add

I guess people are not aware enough of single sign on type of solutions out there like lastpass. This alleviates the pain of having to remember complex and multiple user id's and passwords. It doesn't alleviate the risk of social engineered hacks and/or
other type of hacks as Obama found out just last weekend ...